A
- Access control
- cryptography
- mobile devices
- organization requirements for
- risk management statement
- taking a fresh look at
- teleworking
- user access management
- management of privileged access rights
- management of secret authentication information of users
- removal and adjustment of user rights
- review of user access
- user access provisioning
- user registration and deregistration
- user responsibility
- access control to program source code
- information access restriction
- password management system
- privileged utility programs, use of
- secure log-in procedures
- Advanced Persistent Threat Awareness survey (2015)
- Airmic
- Align, plan, and organize (APO) domain
- Assurance and cyber risk management
- assurance maturity scenarios
- less mature assurance
- mature assurance
- combined assurance reporting by ERM head
- cyber risk management statement
- ever presence of cyber risk
- internal auditor's expectation of an organization managing cyber risks effectively
- case for combined assurance model
- combined assurance obtained by CEO
- risk assessment expected by internal audit
- role for a cybersecurity-specific line of defense
- role for an information, communication, and technology (ICT) unit
- roles for compliance and quality assurance
- roles for ERM and organization strategy to work closely with ICT
B
- Big Data analytics
- preparing for a Big Data policy
- employee policy content amendments
- “privacy by design” key content
- understanding Big Data risks
- Board cyber risk oversight
- barriers to action
- failure to link cybersecurity assessments to key organization objectives
- lack of reliable information on residual risk status
- lack of senior management ownership
- omission of cybersecurity from entity-level objectives and strategic plans
- too much focus on internal controls
- cybersecurity—the way forward
- expectations of boards
- practical steps boards should take to respond
- establish a risk management framework
- include top objectives and specific owners
- require regular reporting by the CEO
- use a “five lines of assurance” approach
- Bring your own devices (BYOD)
- choosing between BYOD policy options
- examples of BYOD policies
- preparing for a BYOD policy
- understanding BYOD risks
- Build, acquire, and implement (BAI) domain
- Business continuity management and cybersecurity
- cyber risk management statement
- developing and implementing BCM responses for cyber incidents
- embedding cybersecurity requirements in BCMS
- glossary of key terms
- good international practices for
- BCMS components and ISO 22301
- cyber and business continuity management system (BCMS)
C
- Center for Strategic and International Studies report (June 2014)
- CEO under pressure
- cyber risk handbook, need for
- Chapters listed by interest to functional type
- Chief information security officer (CISO). See Cyber competencies and the cybersecurity officer
- Cisco study
- City University of Hong Kong Human Resource Security Standard
- Cloud computing and third-party vendors
- preparing for a cloud computing policy
- procuring cloud provider services effectively
- customer agreement key content
- understanding cloud computing risks
- Cloud/SaaS applications
- in-house developed applications
- COBIT 5 domains, and support of complete cybersecurity life cycle
- benefits of process enablers
- reasons for using a COBIT 5 process enabler approach
- COBIT 5 for information security
- COBIT 5 GEIT principles
- applying a single, integrated framework
- covering the enterprise end to end
- addressing uncertainty
- creating and protecting value
- tailoring
- enabling a holistic approach
- being part of decision making
- considering human and cultural factors
- integrating into the organization
- using the best available information
- meeting stakeholder needs
- being responsive to change
- being transparent and inclusive
- separating governance from management
- maturity strategy and continual improvement
- COBIT 5 processes, leveraging
- components of cybersecurity processes
- cybersecurity practices and activities
- different types working together
- align, plan, and organize (APO) domain
- build, acquire, and implement (BAI) domain
- deliver, service, and support (DSS) domain
- evaluate, direct, and monitor (EDM) domain
- monitor, evaluate, and assess (MEA) domain
- Commercial off-the-shelf applications
- “Corporate Culture and the Role of Boards” (FRC, 2016)
- Crisis decision-making unit (CDU)
- Crisis management
- unique characteristics of
- Cryptography
- Culture and human factors
- cyber risk management statement
- frameworks and standards
- business model for information security (BMIS)
- ISO 27001:2013
- NIST framework
- human factors and cybersecurity
- insider threats
- social engineering threats
- organizations as social systems
- cybersecurity not merely a technology issue
- organizational culture
- technology trends and human factors
- measuring human behaviors for security
- reducing cyber risks that occur due to human mistakes
- training
- Cyber competencies and the cybersecurity officer
- CISO, duality of
- executive strategist
- key attributes for
- RASCI matrix cyber roles
- should report to CEO
- technical specialist
- cyber risk management statement
- evolving information security professional
- job responsibilities and tasks
- information risk management and compliance
- information security governance
- information security incident management
- information security program development and management
- Cyber crisis management steps
- alert and qualification
- carrying out the investigation and building a defense plan
- building the defense plan
- starting investigations
- crisis closure
- executing the plan and surveillance
- Cyber risk insurance
- management statement
- market constraints
- capacity
- insurance placement
- regulatory
- planning for
- conducting pre-breach education and planning
- creating a breach business continuity plan
- developing an incident response plan and crisis management plan
- reviewing or implementing cyber insurance
- risk manager's perspective on planning for
- Cyber risk–managed organization
- Cyber risk management, principles behind
- applying a single, integrated framework
- covering the enterprise end to end
- addressing uncertainty
- creating and protecting value
- tailoring
- enabling a holistic approach
- being part of decision making
- considering human and cultural factors
- integrating into the organization
- using the best available information
- meeting stakeholder needs
- being responsive to change
- being transparent and inclusive
- principles guiding actions
- separating governance from management
- maturity strategy and continual improvement
- “Cyber Risk Oversight” guide (NACD, 2014)
- Cyber risks
- identifying, analyzing, and evaluating
- cyber risk management statement
- landscape of risk
- maturing security
- people factor
- prioritizing protection
- regulatory compliance
- security culture
- structured approach to assessing and managing risk
- treating
- alignment of treatment
- applying necessary measures and reacting effectively
- cyber risk management statement
- determining cyber risk profile
- practicing treatment
- treating with the proper nuance in line with an organization's risk profile
- using process capabilities
- using insurance and finance
- Cyber strategic performance management
- creating an effective cybersecurity performance management system
- measuring capability
- measuring progress against initiatives
- measuring protection
- cyber risk management statement
- cybersecurity strategy required to measure cybersecurity performance
- cybersecurity capabilities
- organization risk assessment
- portfolio of initiatives
- target state protections
- pitfalls in measuring cybersecurity performance
- Cybersecurity incident and crisis management
- crisis management
- cyber crisis management steps
- going from incident to
- operating principles
- operational cybersecurity crisis unit, structuring and mobilizing
- tools and techniques for managing a cyber crisis
- cyber risk management statement
- incident management
- external incident identification
- incident must-have checklist
- integrating incident reporting with enterprise-wide risk management (ERM)
- internal incident identification
- policy and process steps, following
- qualifying incidents
- when an event becomes an incident
- Cybersecurity lending practices
- Cybersecurity policies and procedures
- Big Data analytics
- preparing for a Big Data policy
- understanding Big Data risks
- cloud computing and third-party vendors
- preparing for a cloud computing policy
- procuring cloud provider services effectively
- understanding cloud computing risks
- cyber risk management statement
- Internet of Things (IoT)
- preparing for an IoT policy
- understanding IoT risks
- mobile or bring your own devices (BYOD)
- choosing between BYOD policy options
- examples of BYOD policies
- preparing for a BYOD policy
- understanding BYOD risks
- ransomware risk policies and procedures
- preparing for a ransomware policy
- understanding ransomware risks
- social media risk policy
- choose between social media policy options
- examples of social media policies
- preparing for a social media policy
- understanding social media risks
- Cybersecurity, state of
- global cyber crisis
- increasing cyber risk management maturity
- time for change
- Cybersecurity systems
- cyber risk management statement
- incorporating cybersecurity requirements and establishing sound practices
- application life cycle and typical controls
- development and implementation
- governance and planning
- maintenance and operations
- sunset and disposal
- specific considerations
- cloud/SaaS applications
- commercial off-the-shelf applications
- CyberSmart capabilities
- CyberSmart maturity model
- culture, ethics, and behavior
- governance and risk oversight
- organizational structures and design
- processes
- resources in architecture—services, infrastructure, and applications
- resources in information assets
- resources in people, skills, and competencies as assets
D
- Decommissioning a system
- Deliver, service, and support (DSS) domain
- Digital governance gap
- Digital leadership and emergence of digital risk and digital risk officer
- Digital quotient
E
- Embedded risk management processes, using
- Enterprise risk management, integrating cyber risk management into
- Enterprise-wide risk management
- digital governance gap
- people risk management system
- European Union Agency for Network and Information Security (ENISA)
- Evaluate, direct, and monitor (EDM) domain
- External context and supply chain
- building cybersecurity management capabilities from an external perspective
- avoiding silos to focus on external and internal alignment
- cybersecurity task force to focus on maturity targets
- integrating supply chain capability
- private-sector and policymaker recommendations to improve global cyber governance
- seven key roles to drive capability
- cyber risk management statement
- external context
- to the growing importance of cyber risk and IT failure
- specific to cyber risks
- and supply chain and third parties
- transportation cyber attack, example of
- transportation sector's key role in supply chain
- measuring cybersecurity management capabilities from an external perspective
- supply chain risk maturity measured by peer organizations
F
- Fiat Chrysler
- Financial impact modeling, constraints on
- Financial Reporting Council (FRC)
- “Five lines of assurance” approach
- “Framework for Improving Critical Infrastructure Cybersecurity” version 1.0
- Frameworks and standards
- business model for information security (BMIS)
- ISO 27001:2013
- NIST framework
G
- General Data Protection Regulation (GDPR) (EU)
- Generation Y employees
- “Global State of Information Security Survey 2016”
- Glossary of commonly used terms
- Governance and planning
- defining security requirements
- establishing policies and procedures
- Groupthink as a bias
H
- Handbook structure, rationale, and benefits
- balance and objectivity
- enterprise-wide comprehensiveness
- moving up the risk maturity curve
- Handbook structured for the enterprise
- conceptualizing cybersecurity for organization-wide solutions
- cyber risk maturity model
- theming the right set of capabilities
- Human factors and cybersecurity
- insider threats
- social engineering threats
- Human Impact Management for Information Security (HIMIS)
- Human resources security
- cyber risk management statement
- higher-maturity HR functions
- academia
- certified professionals
- lower-maturity HR functions, needs of
- HR security standard, example of
- mid-maturity HR functions
- certifiable international standard, capabilities to meet
I
- Incident and crisis management. See Cybersecurity incident and crisis management
- Information asset management for cyber
- best practices
- cyber risk management statement
- cybersecurity for the future
- from exploitation to attack
- new opportunities for network agility
- observe, orient, decide, and act (OODA)
- reimagining the attack surface
- invisible attacker
- thinking like a general
- time to act
- troubling trend
- Information risk management and compliance
- Information Security Forum (ISF)
- standard of good practice for information security
- Information security governance
- Information security incident management
- Information security program development and management
- Institute of Internal Auditors
- Internal organization context
- cyber risk management statement
- cybersecurity within the enterprise
- standards and guidance approaches
- tailoring cybersecurity to enterprise exposures
- aligning cybersecurity within enterprise functions
- designing a cyber risk function operating model
- governance and risk oversight functions for cybersecurity
- IT-related executive management functions for cybersecurity
- typical enterprise functional roles most involved in cybersecurity
- International Organization for Standardization (ISO)
- Internet of Things (IoT)
- preparing for an IoT policy
- understanding IoT risks
- ISO 22301
- ISO 27001
- ISO 31000
- ISO/IEC 27000 family
- IT capability maturity framework—information security management (IT-CMF:ISM)
- IT-related executive management functions for cybersecurity
- CISO should report to CEO
- emergence of the digital risk officer (DRO)
- enterprise risk-related management functions for cybersecurity
- other enterprise management functions supporting cybersecurity
- RASCI matrix cyber roles
- for board members
- for CEO
- for CFO
- for CIO
- for CISO
- for COO
- for CRO
- for CSO
- for DRO
- for head of business continuity
- for head of corporate communications
- for head of human resources
- for head of insurance
- for head of physical security
- for head of supply chain
- for ISRC
- for internal audit function
- for legal counsel and compliance
- for risk committee
- variations to reporting and titles/roles
K
- Key risk indicators (KRIs), monitoring and reviewing
- definitions
- key control indicator
- key performance indicator
- key risk indicator
- design for cyber risk management
- case study
- dashboard samples tailored to stakeholders
- functional risk
- informing stakeholders
- inherent risk, residual risk, and big-picture KRIs
- linking objectives, risks, and controls
- organizational risk
- risk taxonomy
- KRI management statement
- Korn Ferry study (2016)
L
- Legal and compliance
- counsel's advice and “boom” planning
- boom and right of boom
- left of boom
- RASCI matrix role for legal counsel and compliance
- cyber risk management statement
- European Union and international regulatory schemes
- International Organization for Standardization (ISO)
- post-Brexit United Kingdom
- transfer of data out of the EU
- U.S. regulations
- cybersecurity negligence remains undefined
- forecasting the future U.S. cyber regulatory environment
- general fiduciary duty in the United States
- specific U.S. industry/sector regulations
M
- Maintenance and operations
- modification
- risk of impact
- secure operations
- McGregor, Douglas
- McKinsey Global
- Mobile or bring your own devices (BYOD)
- choosing between BYOD policy options
- examples of BYOD policies
- preparing for a BYOD policy
- understanding BYOD risks
- Mobile devices
- Monitor, evaluate, and assess (MEA) domain
N
- National Institute of Standards and Technology (NIST)
- information security standards
- IT security framework
- NIST computer/cybersecurity frameworks
O
- Operational cybersecurity crisis unit, structuring and mobilizing
- defense team
- investigation team
- steering team
- Operations and communications, cybersecurity for
- challenges from within
- changes
- data and its integrity
- digital revolution
- hindrances to cybersecurity operations
- knowing what you do not know
- people
- threat landscape
- what to do now
- adapting to your environment
- adapting your organization
- cyber risk management statement
- drive for clarity
- filling in the knowledge gap
- knowing your assets
- making cyber risk more tangible
- understanding the speed of change
- Organization risk assessment
P
- Payment Card Industry (PCI) Data Security Standard (PCI-DSS)
- People risk management
- crisis management
- unique characteristics of
- cyber risk management statement
- enterprise-wide risk management
- digital governance gap
- people risk management system
- rise of the machines
- risk culture
- tomorrow's talent
- digital leadership and emergence of digital risk and digital risk officer
- digital quotient
- Physical security
- calculating or reviewing exposure to adversary attacks
- calculating the probability of interrupting the adversary
- simulating the path of an adversary
- committing to a plan
- cyber risk management statement
- designing or reviewing integrated security measures
- getting a clear view on physical security risk landscape and impact on cybersecurity
- key objectives for security measures
- managing or reviewing the cybersecurity organization
- optimizing return on security investment
- RASCI plan for physical security organization
- reworking the data center scenario
- understanding controls for data center scenario
- understanding objectives for security measures
- risk landscape heat map example
- security zone model example
- typical security design example
- Policies and procedures. See Cybersecurity policies and procedures
- Predefined risk appetite, managing cyber risks with
- PricewaterhouseCoopers international survey (2016)
- Process capabilities, treating cyber risks using
- lack of intrinsic motivation to document
- moving routine actions to operations
- leveraging ISACA COBIT 5 processes
- undocumented processes
- Proctor, Paul
Q
- Quantified cost-benefit model, tailoring
- constraints on financial impact modeling
- cyber losses underinsured compared to property losses
- modeling cost-benefits of investments in insurance vs. cybersecurity
R
- Ransomware risk policies and procedures
- preparing for a ransomware policy
- understanding ransomware risks
- how cybercriminals spread ransomware
- RASCI matrix cyber roles
- for board members
- for CEO
- for CFO
- for CIO
- for CISO
- for COO
- for CRO
- for CSO
- for DRO
- for head of business continuity
- for head of corporate communications
- for head of human resources
- for head of insurance
- for head of physical security
- for head of supply chain
- for ISRC
- for internal audit function
- for legal counsel and compliance
- for risk committee
- Risk culture
- Risk insurance. See Cyber risk insurance
- Risk management maturity, improving
- RSA Conference/ISACA joint research
S
- SANS Top 20 CIS Critical Security Controls
- Secure engineering and development practices, importance of
- Security and acceptance testing
- Social media risk policy
- choose between social media policy options
- examples of social media policies
- personal social media policy for employees
- social media policy for corporate accounts
- prepare for your social media policy
- understand your social media risks
- Standards and frameworks for cybersecurity
- commonly used frameworks and standards
- COBIT 5 for information security
- European Union Agency for Network and Information Security (ENISA)
- ISF standard of good practice for information security
- ISO/IEC 27000 family
- IT capability maturity framework—information security management (IT-CMF:ISM)
- NIST computer/cybersecurity frameworks
- Payment Card Industry (PCI) Data Security Standard (PCI-DSS)
- SANS Top 20
- World Economic Forum Cyber Risk Framework (WEF-CRF)
- constraints on standards and frameworks
- good practice consistently applied
- cyber risk management statement
- putting in context
- diversity as a blessing and curse
- first steps
- no “best” cybersecurity standard
- tailoring a choice of frameworks
- Strategic performance management. See Cyber strategic performance management
- Supply chain. See External context and supply chain
- Supply Chain Risk Leadership Council (SCRLC)
- Symantec Internet Security Threat Report (April 2016)
T
- Target data breach (2013)
- Teleworking
- Test data, protection of
- TrapX
U
- User access management
- management of privileged access rights
- management of secret authentication information of users
- removal and adjustment of user rights
- review of user access
- user access provisioning
- user registration and deregistration
- User responsibility
- access control to program source code
- information access restriction
- password management system
- privileged utility programs, use of
W
- World Economic Forum
- World Economic Forum Cyber Risk Framework (WEF-CRF)